Removed textile #535
Conversation
Your Pull Request scored a 0.05 out of a possible +5 on the sentiment scale. Here's a gif representation of your PR:
closes #305 as we don't use Textile anyway for any critical operations.
Removed.
This issue is still unresolved, as the Slate upload API key is exposed client-side and there are other issues with the application flow, as files are uploaded prior to an on-chain transaction. To demonstrate these issues, I was able to upload an SVG graphic which contains an XSS payload without recording a transaction on-chain. https://kodadot.mypinata.cloud/ipfs/bafkreif72qk6ykwj2dthg6ar6r3w5u5tsmv2rqig2epv3pkaoxz6wqhwaa
If this image is processed within your web application it will execute the embedded JavaScript payload. If this were weaponized, this exploit could potentially be used to manipulate a user's transactions or wallet.
In case the example above isn't apparent, as you need to load the image inside an HTML page context, I have also uploaded a JavaScript file containing the same XSS payload which does execute in the context of your kodadot.mypinata.cloud endpoint. https://kodadot.mypinata.cloud/ipfs/bafkreidjoa34lblzi3kmh7ozn5ytuc5f7vuxslvw4qno5mvlv4qjdd7iwi
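An added example, not code from the thread or from the kodadot project, of the two controls a reviewer would want around an upload endpoint like the one described: a pre-pin gate that rejects SVGs carrying active content, and the response headers an upload origin should send so that a file which slips through cannot run script in that origin. Worth keeping in mind when reading the PoC: script inside an SVG runs only when the SVG is loaded as a document (direct navigation, `<object>`, `<iframe>`), never from `<img>`, which is why the reporter needs an HTML page context. The sample SVGs are constructed and the function names are my own.

```javascript
// Added example (mine, not kodadot's code or the reporter's PoC): a pre-pin
// gate that rejects SVGs carrying script, plus the response headers an upload
// origin should send so a file that slips through cannot run script there.
// The sample SVGs are constructed; function names are assumptions.
'use strict';

// Constructed: an SVG with the three common script vectors.
const SAMPLE_SVG = `<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(document.domain)">
  <rect width="100" height="100" fill="red"/>
  <script type="text/javascript">alert(document.domain)</script>
  <a xlink:href="javascript:alert(document.domain)"><text y="50">click</text></a>
</svg>`;

// Constructed: a plain SVG that should pass.
const CLEAN_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>`;

// Walk every start tag and report anything that executes when the SVG is
// opened as a document (direct navigation, <object>, <iframe>). Inside <img>
// none of these run. Returns a list of findings; any finding means "reject
// the upload" - this is a gate, not a sanitizer that tries to strip things.
function findActiveSvgContent(svgText) {
  const findings = [];
  const tagRe = /<([a-zA-Z][\w:-]*)\b([^>]*)>/g;
  let tag;
  while ((tag = tagRe.exec(svgText)) !== null) {
    const [, name, attrs] = tag;
    const lname = name.toLowerCase();
    if (lname === 'script') findings.push('script element');
    if (lname === 'foreignobject') findings.push('foreignObject element (embeds HTML)');

    // Event handler attributes: onload, onclick, onbegin, onerror, ...
    const handlerRe = /\son[a-z]+\s*=/gi;
    let h;
    while ((h = handlerRe.exec(attrs)) !== null) {
      findings.push(`event handler ${h[0].trim().replace(/\s*=$/, '')} on <${name}>`);
    }

    // href / xlink:href carrying a javascript: URL. Browsers strip leading
    // control characters and whitespace before matching the scheme, so do the same.
    const hrefRe = /(?:xlink:)?href\s*=\s*["']([^"']*)["']/gi;
    let a;
    while ((a = hrefRe.exec(attrs)) !== null) {
      const url = a[1].replace(/[\u0000-\u0020]/g, '').toLowerCase();
      if (url.startsWith('javascript:')) findings.push(`javascript: URL on <${name}>`);
    }
  }
  return findings;
}

// Headers for every response from the upload/gateway origin. The sandbox CSP
// disables script (and forms, plugins, same-origin access) even when the file
// is navigated to directly; nosniff stops a text/plain or octet-stream upload
// from being reinterpreted as HTML or script; SVG and any other document type
// is forced to download, while raster images may render inline.
function uploadResponseHeaders(contentType) {
  const inlineSafe = /^image\/(png|jpeg|gif|webp)$/i.test(contentType);
  return {
    'Content-Type': contentType,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; sandbox",
    'Content-Disposition': inlineSafe ? 'inline' : 'attachment',
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('sample findings:', findActiveSvgContent(SAMPLE_SVG));
  console.log('clean findings:', findActiveSvgContent(CLEAN_SVG));
  console.log('svg headers:', uploadResponseHeaders('image/svg+xml'));
}
```

`Content-Disposition: attachment` only affects navigation; `<img src="...">` embedding of an SVG still renders, so a gallery keeps working while a direct visit to the gateway URL downloads instead of executing. The gate should run on the bytes actually being pinned, after checking that the declared type matches the content, since a file uploaded as `image/png` but containing `<svg>` is still an SVG to a browser that sniffs it.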
We are using Slate to put your files in the background to accelerate the pinning process until the user figures out filling in credentials; it's a sort of experimental way to speed up the process. I guess until we introduce some authentication system, this will always be in place. We can think of running a script which checks which files aren't minted with a particular IPFS hash and removes them if that is the case.
Speaking of XSS, I've noticed we forgot to set XSS headers. Adding
should mitigate most of the basic stuff, I guess, thanks for noticing! I guess going through basic OWASP stuff would be good for long-term security, and revisiting scenarios on CSP, CSRF... It seems we are now getting a D at https://securityheaders.com/?q=nft.kodadot.xyz&followRedirects=on Speaking of *.pinata.cloud, we have no power there and we should reach out to the Pinata provider to add some headers there, as it seems a terrible F; that's probably why your XSS works?
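An added example, not the project's own script, of the cleanup the comment above proposes: list pinned CIDs that no minted NFT references and that are older than a grace window, so a file uploaded moments before its on-chain transaction is not removed by the race the flow creates. The pin list and chain references below are constructed; a real run would fetch pins from the pinning service API and references from the chain's NFT metadata. Note that this only shortens the exposure: during the grace window the gateway still serves whatever was uploaded.

```javascript
// Added example (mine, not kodadot's code): pick the pins that are safe to
// unpin because nothing minted on chain references them and they are older
// than a grace window. All data below is constructed.
'use strict';

const HOUR = 60 * 60 * 1000;
const GRACE_MS = 24 * HOUR; // assumed: generous allowance for the mint transaction to land

// Normalise the forms a metadata image/animation field takes into a bare CID:
// ipfs://<cid>, ipfs://ipfs/<cid>, a gateway URL .../ipfs/<cid>, or the CID itself.
// Bare-CID acceptance is loose on purpose (any alphanumeric token) so the
// constructed names below are accepted; a real script would validate the CID.
function extractCid(ref) {
  if (typeof ref !== 'string') return null;
  let m = ref.match(/^ipfs:\/\/(?:ipfs\/)?([^/?#]+)/i);
  if (m) return m[1];
  m = ref.match(/\/ipfs\/([^/?#]+)/);
  if (m) return m[1];
  if (/^[A-Za-z0-9]+$/.test(ref)) return ref;
  return null;
}

// pins: [{ cid, pinnedAt }] as reported by the pinning service (ms timestamps)
// references: every image/metadata reference found in minted NFTs on chain
// Returns the CIDs to unpin; the caller decides whether to act (dry run first).
function selectUnpinCandidates(pins, references, now, graceMs = GRACE_MS) {
  const referenced = new Set();
  for (const ref of references) {
    const cid = extractCid(ref);
    if (cid) referenced.add(cid);
  }
  return pins
    .filter((p) => !referenced.has(p.cid) && now - p.pinnedAt > graceMs)
    .map((p) => p.cid);
}

// Constructed inputs.
const NOW = Date.parse('2021-09-10T12:00:00Z');
const PINS = [
  { cid: 'bafyMintedImage', pinnedAt: NOW - 48 * HOUR }, // referenced from minted metadata
  { cid: 'bafyMintedMeta', pinnedAt: NOW - 48 * HOUR },  // the metadata blob, referenced via gateway URL
  { cid: 'bafyStaleUpload', pinnedAt: NOW - 72 * HOUR }, // never minted: unpin
  { cid: 'bafyFreshUpload', pinnedAt: NOW - 1 * HOUR },  // mint may still be in flight: keep for now
];
const CHAIN_REFS = [
  'ipfs://ipfs/bafyMintedImage',
  'https://kodadot.mypinata.cloud/ipfs/bafyMintedMeta',
];

function dryRun() {
  return selectUnpinCandidates(PINS, CHAIN_REFS, NOW);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('would unpin:', dryRun());
}
```

Both the metadata CID and the CIDs inside the metadata JSON have to be treated as references, otherwise the image of a correctly minted NFT is classed as an orphan. Run it as a dry run and compare against the pinning service's own listing before letting it call the unpin endpoint.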
Ok, seems we got a level up in a few minutes. I'm happy to see if you can demonstrate that XSS now if you mint some SVG?
And we are at an A-grade policy; let me look at the permissions policy, seems something new https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
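An added example, not the project's tooling, of an offline check of the response headers the securityheaders.com-style scan discussed above grades, so the D-to-A change can be reproduced locally instead of by re-scanning. It runs over two constructed header blocks of the kind `curl -sI <url>` prints; the thresholds and the function names are my own.

```javascript
// Added example (mine, not kodadot's tooling): audit the security headers a
// securityheaders.com-style scan looks for, over constructed responses.
// Thresholds are my choices; the header set is the standard one.
'use strict';

// Constructed: roughly what a site with no security headers returns.
const BEFORE = `HTTP/2 200
content-type: text/html; charset=utf-8
server: Netlify
x-xss-protection: 1; mode=block`;

// Constructed: the same site after adding the headers discussed above.
const AFTER = `HTTP/2 200
content-type: text/html; charset=utf-8
content-security-policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()`;

// Parse the raw block printed by `curl -sI <url>` into a lowercase-keyed map.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i <= 0) continue; // status line or blank line
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Pull one directive's value out of a CSP string ('' if absent).
function cspDirective(csp, name) {
  const m = csp.match(new RegExp(`(?:^|;)\\s*${name}\\s+([^;]*)`));
  return m ? m[1].trim() : '';
}

// Returns a list of problems; an empty list is a pass.
function auditSecurityHeaders(headers) {
  const problems = [];
  const h = (name) => headers[name.toLowerCase()];

  const csp = h('Content-Security-Policy');
  if (!csp) {
    problems.push('missing Content-Security-Policy');
  } else {
    const scriptSrc = cspDirective(csp, 'script-src') || cspDirective(csp, 'default-src');
    if (/'unsafe-inline'/.test(scriptSrc) && !/'(nonce-|sha(256|384|512)-)/.test(scriptSrc)) {
      problems.push("CSP allows 'unsafe-inline' script without a nonce or hash");
    }
  }
  // Framing: CSP frame-ancestors supersedes X-Frame-Options; either will do.
  if (!(csp && cspDirective(csp, 'frame-ancestors')) && !h('X-Frame-Options')) {
    problems.push('no framing protection (frame-ancestors or X-Frame-Options)');
  }
  const hsts = h('Strict-Transport-Security');
  const maxAge = hsts ? Number((hsts.match(/max-age=(\d+)/) || [])[1] || 0) : 0;
  if (!hsts) problems.push('missing Strict-Transport-Security');
  else if (maxAge < 15552000) problems.push(`HSTS max-age ${maxAge} is below 180 days`);

  if ((h('X-Content-Type-Options') || '').toLowerCase() !== 'nosniff') {
    problems.push('missing X-Content-Type-Options: nosniff');
  }
  if (!h('Referrer-Policy')) problems.push('missing Referrer-Policy');
  if (!h('Permissions-Policy')) problems.push('missing Permissions-Policy');
  if (h('X-XSS-Protection')) {
    problems.push('X-XSS-Protection is legacy (Chromium removed its XSS auditor); CSP is the real control');
  }
  return problems;
}

function auditRaw(raw) {
  return auditSecurityHeaders(parseHeaders(raw));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('before:', auditRaw(BEFORE));
  console.log('after:', auditRaw(AFTER));
}
```

The check is deliberately strict about `script-src`: a CSP that carries `'unsafe-inline'` without a nonce or hash does nothing against the injected-script case the reporter demonstrated, even though a scanner still sees "a CSP header". Netlify reads custom headers from a `_headers` file in the publish directory, which is where these would live for the nft.kodadot.xyz origin; the *.pinata.cloud origin is, as the comment says, outside the project's control.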
@x676f64 Hey, you should state it's a PoC for minor components :)
Removing textile from project as we do not use it anymore.
@yangwao please also remove the key from ENV on Netlify.